[Bug 1547865] Re: Double free in libjasper jas_icc.c

Launchpad Bug Tracker 1547865 at bugs.launchpad.net
Thu Mar 3 14:02:01 UTC 2016


This bug was fixed in the package jasper - 1.900.1-13ubuntu0.3

---------------
jasper (1.900.1-13ubuntu0.3) precise-security; urgency=medium

  * SECURITY UPDATE: Denial of service or possible code execution via crafted
    ICC color profile (LP: #1547865)
    - debian/patches/09-CVE-2016-1577.patch: Prevent double-free in
      src/libjasper/base/jas_icc.c
    - CVE-2016-1577
  * SECURITY UPDATE: Denial of service via resource exhaustion via crafted ICC
    color profile
    - debian/patches/10-CVE-2016-2116.patch: Prevent memory leak in
      src/libjasper/base/jas_icc.c
    - CVE-2016-2116

 -- Tyler Hicks <tyhicks@canonical.com>  Fri, 26 Feb 2016 00:07:11 -0600

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to jasper in Ubuntu.
https://bugs.launchpad.net/bugs/1547865

Title:
  Double free in libjasper jas_icc.c

Status in jasper package in Ubuntu:
  Fix Released

Bug description:
  A malformed JPEG2000 image being processed by libjasper can lead to a
  double free in jas_icc.c:jas_iccprof_load(). Specifically, the
  variable "attrval" is freed via a call to jas_iccattrval_destroy on
  line 302 and then, if the program moves to the error label before
  attrval gets assigned a new value at 328, "attrval" gets freed again
  at line 357.

  Reproducing the double free is fairly simple using the libjasper-runtime
  program 'imginfo':

  test@ubuntu:~$ imginfo -f ~/test/bad.jp2

  Attached is an image to reproduce this bug. A quick note about the
  image, it appears to also exercise Bug #555238 which is a stack
  exhaustion bug in nautilus. Therefore, don't be surprised when the
  image crashes nautilus. Also attached is output from valgrind and a
  backtrace from gdb.

  lsb_release -rd output:
  test@ubuntu:~$ lsb_release -rd
  Description:	Ubuntu 14.04.3 LTS
  Release:	14.04

  apt-cache output:
  test@ubuntu:~$ apt-cache policy libjasper1
  libjasper1:
    Installed: 1.900.1-14ubuntu3.2
    Candidate: 1.900.1-14ubuntu3.2
    Version table:
   *** 1.900.1-14ubuntu3.2 0
          500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
          100 /var/lib/dpkg/status
       1.900.1-14ubuntu3 0
          500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
  test@ubuntu:~$ apt-cache policy libjasper-runtime
  libjasper-runtime:
    Installed: 1.900.1-14ubuntu3.2
    Candidate: 1.900.1-14ubuntu3.2
    Version table:
   *** 1.900.1-14ubuntu3.2 0
          500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/universe amd64 Packages
          500 http://security.ubuntu.com/ubuntu/ trusty-security/universe amd64 Packages
          100 /var/lib/dpkg/status
       1.900.1-14ubuntu3 0
          500 http://us.archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
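The control flow the bug description above lays out, as an added illustration that is neither jasper's code nor part of the bug report: a hypothetical loader destroys attrval and then reaches its error label before the pointer is reassigned, beside a version that clears the pointer right after the destroy so the cleanup path's NULL check skips it. attrval_t, the static pool, the tag_ok array and the counter are constructed stand-ins, and the pointer clearing is the assumed mitigation, not a transcription of the distribution patch.

```c
#include <stdbool.h>
#include <stddef.h>
/* Hypothetical stand-in for an ICC attribute value (not jasper's jas_iccattrval_t). */
typedef struct { bool live; } attrval_t;
static attrval_t pool[8];        /* static pool: a repeat destroy is counted, not executed */
static int double_free_count;    /* how many times an already-dead attrval was destroyed */
static attrval_t *attrval_create(int i) { pool[i].live = true; return &pool[i]; }
static void attrval_destroy(attrval_t *a) {
    if (!a->live) { double_free_count++; return; }  /* with a real free() this is the crash */
    a->live = false;
}

/* tag_ok[i] says whether tag i parses; a false entry models the malformed tag that
 * forces the jump to the error label after attrval has already been destroyed. */
int load_profile_vulnerable(const bool *tag_ok, int ntags) {
    attrval_t *attrval = NULL;
    for (int i = 0; i < ntags; i++) {
        attrval = attrval_create(i);
        attrval_destroy(attrval);           /* first destroy, value already consumed */
        if (!tag_ok[i]) goto error;         /* error exit before attrval is reassigned */
    }
    return 0;
error:
    if (attrval) attrval_destroy(attrval);  /* cleanup destroys the same value again */
    return -1;
}

/* Same flow; clearing the pointer right after the destroy leaves nothing dangling. */
int load_profile_fixed(const bool *tag_ok, int ntags) {
    attrval_t *attrval = NULL;
    for (int i = 0; i < ntags; i++) {
        attrval = attrval_create(i);
        attrval_destroy(attrval);
        attrval = NULL;                     /* the error path's NULL check now skips it */
        if (!tag_ok[i]) goto error;
    }
    return 0;
error:
    if (attrval) attrval_destroy(attrval);
    return -1;
}

/* Run a loader over a constructed two-tag profile whose second tag is malformed and
 * report how many repeat destroys it performed. */
int count_double_frees(int (*loader)(const bool *, int)) {
    const bool tags[] = { true, false };    /* constructed sample input */
    double_free_count = 0;
    loader(tags, 2);
    return double_free_count;
}
```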
